-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5899
                           runc security update
                             16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           runc
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-29162  

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2022:8090

Comment: CVSS (Max):  5.6 CVE-2022-29162 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: runc security update
Advisory ID:       RHSA-2022:8090-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8090
Issue date:        2022-11-15
CVE Names:         CVE-2022-29162 
=====================================================================

1. Summary:

An update for runc is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

The runC tool is a lightweight, portable implementation of the Open
Container Format (OCF) that provides a container runtime.

Security Fix(es):

* runc: incorrect handling of inheritable capabilities (CVE-2022-29162)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2086398 - CVE-2022-29162 runc: incorrect handling of inheritable capabilities

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
runc-1.1.4-1.el9.src.rpm

aarch64:
runc-1.1.4-1.el9.aarch64.rpm
runc-debuginfo-1.1.4-1.el9.aarch64.rpm
runc-debugsource-1.1.4-1.el9.aarch64.rpm

ppc64le:
runc-1.1.4-1.el9.ppc64le.rpm
runc-debuginfo-1.1.4-1.el9.ppc64le.rpm
runc-debugsource-1.1.4-1.el9.ppc64le.rpm

s390x:
runc-1.1.4-1.el9.s390x.rpm
runc-debuginfo-1.1.4-1.el9.s390x.rpm
runc-debugsource-1.1.4-1.el9.s390x.rpm

x86_64:
runc-1.1.4-1.el9.x86_64.rpm
runc-debuginfo-1.1.4-1.el9.x86_64.rpm
runc-debugsource-1.1.4-1.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-29162
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----